Early this week, the KOOBFACE Command and Control (C&C) servers issued a new command to its downloader component. This new command identifies a list of IP addresses to be used by the downloader component as Web or relay proxies to retrieve subsequent commands and components.

In the old KOOBFACE architecture (see Figure 1), the downloader directly connects to an available C&C to receive commands. However, the new command seen early this week actually changes the KOOBFACE botnet architecture to something more like the diagram in Figure 2.

This new command acts as a redundancy layer to the old architecture and probably as a response to KOOBFACE domain takedowns. The upgraded KOOBFACE architecture makes it possible for the KOOBFACE botnet to survive even if all of its C&C domains are shut down given that the list of IP addresses (KOOBFACE zombies) can also host updated KOOBFACE commands and components.

KOOBFACE made waves in social networking sites by using infected users’ profiles to infect other users and therefore propagate. We have chronicled its activities in the following blog posts: